MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caaa9c9e7970d2b215d718f14caf3e7a5af4c640b94dfafeb59fa5aa86dc6af0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: caaa9c9e7970d2b215d718f14caf3e7a5af4c640b94dfafeb59fa5aa86dc6af0
SHA3-384 hash: 9b6fa63d86f6476ae5ad94de49fd1abe3d5fc485bd12a12c1796f137ec4cc438f5bb09d3121a72edd2e8fb6ff35e426d
SHA1 hash: b0315e281ad278f1eee1ca14ea5b09f7894f8b4c
MD5 hash: 856fdddf0efbf47ca918589f0ac48483
humanhash: asparagus-mirror-table-uncle
File name: 0x83911d24Fx.sh
Signature: Mirai
File size: 2'492 bytes
First seen: 2026-02-27 23:52:05 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vId3IJMJWIrzsuIeyFlIcnoLIlFNJIGFGsvUIKoIX3IG8IndIz5DIMt:vId3IJMJWIHDIB/IcoLIlFIOcIKoIX3y
TLSH: T1E8515A99037711712EB2AFBBB2A4C4067381D4AA7CD37A09EEEC3CB4499CE483145B43
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2026-02-27 22:40:10 UTC
File Type: Text (Shell)
AV detection: 23 of 38 (60.53%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:demons antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (71376) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
